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Introduction 


The Information Commissioner (the Commissioner) is calling for evidence 
and views on the Age Appropriate Design Code (the Code). 


The Code is a requirement of the Data Protection Act 2018 (the Act). The 
Act supports and supplements the implementation of the EU General Data 
Protection Regulation (the GDPR). 


The Code will provide guidance on the design standards that the 
Commissioner will expect providers of online ‘Information Society 
Services’ (ISS), which process personal data and are likely to be accessed 
by children, to meet. Once it has been published, the Commissioner will 
be required to take account of any provisions of the Code she considers to 
be relevant when exercising her regulatory functions. The courts and 
tribunals will also be required to take account of any provisions they 
consider to be relevant in proceedings brought before them. The Code 
may be submitted as evidence in court proceedings. 


Further guidance on how the GDPR applies to children’s personal data can 
be found in our guidance Children and the GDPR. It will be useful to read 
this before responding to the call for evidence, to understand what is 
already required by the GDPR and what the ICO currently recommends as 
best practice. In drafting the Code the ICO may consider suggestions that 
reinforce the specific requirements of the GDPR, or its overarching 
requirement that children merit special protection, but will disregard any 
suggestions that fall below this standard. 


The Commissioner will be responsible for drafting the Code. The Act 
provides that the Commissioner must consult with relevant stakeholders 
when preparing the Code, and submit it to the Secretary of State for 
Parliamentary approval within 18 months of 25 May 2018. She will publish 
the Code once it has been approved by Parliament. 


This call for evidence is the first stage of the consultation process. The 
Commissioner seeks evidence and views on the development stages of 
childhood and age-appropriate design standards for ISS. The 
Commissioner is particularly interested in evidence based submissions 
provided by: bodies representing the views of children or parents; child 
development experts; providers of online services likely to be accessed by 
children, and trade associations representing such providers. She 
appreciates that different stakeholders will have different and particular 
areas of expertise. The Commissioner welcomes responses that are 
limited to specific areas of interest or expertise and only address 
questions within these areas, as well as those that address every question 
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asked. She is not seeking submissions from individual children or parents 
in this call for evidence as she intends to engage with these stakeholder 
groups via other dedicated and specifically tailored means. 


The Commissioner will use the evidence gathered to inform further work 
in developing the content of the Code. 


The scope of the Code 


The Act affords the Commissioner discretion to set such standards of age 
appropriate design as she considers to be desirable, having 

regard to the best interests of children, and to provide such guidance as 
she considers appropriate. 


In exercising this discretion the Act requires the Commissioner to have 
regard to the fact that children have different needs at different ages, and 
to the United Kingdom’s obligations under the United Nations Convention 
on the Rights of the Child. 


During Parliamentary debate the Government committed to supporting 
the Commissioner in her development of the Code by providing her with a 
list of ‘minimum standards to be taken into account when designing it.’ 
The Commissioner will have regard to this list both in this call for 
evidence, and when exercising her discretion to develop such standards 
as she considers to be desirable 


In developing the Code the Commissioner will also take into account that 
the scope and purpose of the Act, and her role in this respect, is limited to 
making provision for the processing of personal data. 


Responses to this call for evidence must be submitted by 19 September 2018. 
You can submit your response in one of the following ways: 


Online 


Download this document and email to: 


childrenandtheGDPR@ICO.org.uk 


Print off this document and post to: 

Age Appropriate Design Code call for evidence 
Engagement Department 

Information Commissioner’s Office 

Wycliffe House 

Water Lane 

Wilmslow 
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Cheshire SK9 5AF 


If you would like further information on the call for evidence please 
telephone 0303 123 1113 and ask to speak to the Engagement 
Department about the Age Appropriate Design Code or email 


childrenandtheGDPR@ICO.org.uk 


Privacy statement 

For this call for evidence we will publish responses received from organisations 
but will remove any personal data before publication. We will not publish 
responses from individuals. For more information about what we do with 
personal data please see our privacy notice. 
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Section 1: Your views and evidence 


Please provide us with your views and evidence in the following areas: 


Development needs of children at different ages 


The Act requires the Commissioner to take account of the development 
needs of children at different ages when drafting the Code. 


The Commissioner proposes to use their age ranges set out in the report 
Digital Childhood - addressing childhood development milestones in the 
Digital Environment as a starting point in this respect. This report draws 
upon a number of sources including findings of the United Kingdom 
Council for Child Internet Safety (UKCCIS) Evidence Group in its literature 
review of Children’s online activities risks and safety. 


The proposed age ranges are as follows: 


3-5 
6-9 
10-12 
13-15 
16-17 


Q1. In terms of setting design standards for the processing of children’s 
personal data by providers of ISS (online services), how appropriate you 
consider the above age brackets would be (delete as appropriate): 


Not at all appropriate 
Not really appropriate 
Quite appropriate 
Very appropriate 


Q1A. Please provide any views or evidence on how appropriate you 
consider the above age brackets would be in setting design standards for 
the processing of children’s personal data by providers of ISS (online 
services), 


Different levels of maturity and communication styles obviously vary 
between the age brackets. ISS should be required to impose design 
standards which impose the highest barriers to access for the lower age 
brackets (under 13). Access should be denied without the presence of a 
responsible adult, as indicated by a payment card. 

However, it is important to point out that cultural and socioeconomic 
differences should also be taken into account in setting design standards. 
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Q2. Please provide any views or evidence you have on children’s 
development needs, in an online context in each or any of the above age 
brackets. 


N/A 


The United Nations Convention on the Rights of the Child 


The Data Protection Act 2018 requires the Commissioner to take account 
of the UK’s obligations under the UN Convention on the Rights of the Child 
when drafting the Code. 


Q3. Please provide any views or evidence you have on how the 
Convention might apply in the context of setting design standards for the 
processing of children’s personal data by providers of ISS (online 
services) 


CRC core principles - and relevant design standards. 
Non-discrimination 


Care should be taken to be inclusive of all cultures, ethnicity and levels of 
ability in the design of communication around the processing of personal 
data. For example, an approach which embraces a majority group might 
exclude less represented cultures or immigrant or ethnic groups. 


Best Interest of the Child 


See above. Before and as data is processed, children should be informed 
in appropriate language of their rights including the right of erasure, and 
how those rights can be enforced. Standard icons may be helpful. 
Standards should also enable access to the child’s legal guardian who 
may be in a better position to gauge the child’s best interests - taking 
overall responsibility for the processing of that child’s data - especially 
when the child is very young. 


Design should aim at establishing parental consent, offering robust 
processes for verifying the identity of purported guardian/adult and their 
role in that child’s life. 


One approach would be for the standards to specify a standard higher 
than ‘reasonable effort’ in verification processes. Processing of data 
should not proceed until verification of responsible adult has succeeded. 
Privacy by design ought to be the overriding principle and PbD needs to 
be explained in guidance in ways which are relevant to protecting the 
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interests of children. In particular the safeguarding of children against on- 
line grooming as social media in particular offers unprecedented 
opportunities for child exploitation. 


Development and Protection 


Design standards should work towards ‘Data minimisation’ principle with 
regards to collecting as little as possible and only keeping data set for as 
long as necessary. This in particular needs strong enforcement with 
regards to children’s legal rights. 


enable automatic erasure of personal data as a default if consent to retain 
data is not obtained periodically - say on an annual basis - by the child 
and a responsible adult. 


Each data set collected should be subject to methodical, repetitive and 
consistent prompting (interactive interface) before and after which 
emphasises the purpose and use of the data as well as reminding the 
child of their rights in a transparent way ie. ‘child speak’ bearing in mind 
the age group of the child as primary school age needs will be different to 
those of a teenager. Design should also clearly communicate how 
breaches will be reported and steps to be taken by the child in the event 
of any concerns about the use of their personal data - including erasure 
requests. 


Passive collection of personal data (use of geolocation technology) should 
be redesigned with the principle of Privacy by Design in mind & data 
minimisation. i.e. introduce an active element (consenting, etc). Design 
should also facilitate the detection of improper use of data collected 
(alerting the user and/or authorities, valid data via built-in tools to check 
data integrity. 


Participation 


Another principle of the Convention, participation can be built into the 
process - with a liberal use of prompts and questions inviting responses 
from the child to key aspects of their interaction with the ISS. 

Aspects of design 

The Government has provided the Commissioner with a list of areas which 


it proposes she should take into account when drafting the Code. 


These are as follows: 
e default privacy settings, 
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e data minimisation standards, 

e the presentation and language of terms and conditions and privacy 
notices, 

e uses of geolocation technology, 

e automated and semi-automated profiling, 

e transparency of paid-for activity such as product placement and 
marketing, 

e the sharing and resale of data, 

e user reporting and resolution processes and systems, 

e the ability to understand and activate a child’s right to erasure, 
rectification and restriction, 

e the ability to access advice from independent, specialist advocates 
on all data rights, and 

e any other aspect of design that the commissioner considers 
relevant. 


Q4. Please provide any views or evidence you think the Commissioner 
should take into account when explaining the meaning and coverage of 
these terms in the code. 


Online bullying and blackmail have become a real problem among young 
people. Since the new anti-grooming measure that came into effect in 
April 2017, police in England and Wales have recorded 3,171 crimes 
involving sexual communication with a child which averages out at about 
nine per day with the youngest child according to statistics being just five 
years of age. 


Facebook, Snapchat and Insta were used in 70% of the 2,097 of cases 
where police revealed the methods and the number of calls to Childline 
for counselling sessions about cyberbullying have gone up also, increasing 
by 12% to 5,103. 


Finding ways to facilitate the child’s exercise of the right of erasure is of 
critical importance. 


A suggestion of machine learning or AI tools to detect suspicious 
behaviour would be appropriate in these instances. 


Q5. Please provide any views or evidence you have on the following: 
Q5A. about the opportunities and challenges you think might arise in 
setting design standards for the processing of children’s personal data by 
providers of ISS (online services), in each or any of the above areas. 
More robust age verification processes will receive strong pushback from 


social media platforms whose business models rely on user growth and 
engagement. It’s not in their commercial interests to make it more 
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difficult for a user to sign up, although it should be in their ethical interest 
to ensure children under the age of consent cannot create an account. Or 
if they do, this should be checked with a guardian. 


Challenges will also arise around applying design standards around 
gamification. As above, it’s in the companies’ commercial interests to 
keep the user engaged for as long as possible and this may have a 
detrimental impact on a child. 


There is an opportunity to set a bar to harmonise all legal and corporate 
content with regards to privacy and terms of use (eg. T&C’s, privacy 
notices etc) into language that a child can understand and make an 
informed choice about. Allowing the child to weigh up creating an account 
vs handing over their personal data is in support of the ‘Best interests of 
the child’. 


Q5B. about how the ICO, working with relevant stakeholders, might use 
the opportunities presented and positively address any challenges you 
have identified. 


Provision of fresh guidance. For example, guidance on for child friendly 
privacy notices. Updated guidance on how to handle parental consent. 


Q5C. about what design standards might be appropriate (ie where the bar 
should be set) in each or any of the above areas and for each or any of 
the proposed age brackets. 


For all age groups under the age of consent there should be robust age 
verification processes that link directly to a responsible adult. 


For each age group there should be easy to understand language around 


privacy, prompts and appropriate alert functions for the child to report 
inappropriate content, bullying etc. 


Q5D. examples of ISS design you consider to be good practice. 


https://www.natgeokids.com/uk/register/#!/register 


Clear registration process, asks for parent/guardian’s email if child is 
under age of consent. A good example of age verification process. 


Q5E. about any additional areas, not included in the list above that you 
think should be the subject of a design standard. 
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e Limiting screen time with locking / time-out feature to encourage 
child to take a break. 

e Ban on more than one account being set up per IP address. This will 
stop multiple accounts being set up by adults seeking to access 
children online and also stop online bullies / trolls from opening 
more than one user account to target an individual. 


Q6. If you would be interested in contributing to future solutions focussed 
work in developing the content of the code please provide the following 
information. The Commissioner is particularly interested in hearing from 
bodies representing the views of children or parents, child development 
experts and trade associations representing providers of online services 
likely to be accessed by children, in this respect. 


Nene: as 
Email: 


Brief summary of what you think you could offer: 


E: vould be 
able to offer views of UK parents via surveys, polls and opinion pieces, my 
own views and 
also specialist knowledge working in privacy with a particular interest in 
children’s privacy and their holistic digital experience, to include screen 
time, physical, mental and emotional well-being whilst engaging in digital 
and on-line activities. 


I have written a number of pieces for O children in 


digital, am regularly on TV and national radio discussing these issues and 
will continue to advocate for safeguarding of children online. 


Further views and evidence 


Q7. Please provide any other views or evidence you have that you 
consider to be relevant to this call for evidence. 
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Section 2: About you 


Are you: 


A body representing the views or interests of children? 
Please specify: 


A body representing the views or interests of parents? 
Please specify: 
and 


A child development expert? 
Please specify: 


A provider of ISS likely to be accessed by children? 
Please specify: 


A trade association representing ISS providers? 
Please specify: 


An ICO employee? 


Other? 

Please specify: 

Associate of i «ata protection compliance 
consultancy with a particular interest in children’s 
privacy. 
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Thank you for responding to this call for evidence. 
We value your input. 
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